[users@httpd] shtml and suexec

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have a suexec-related question. I'm running (and looking at the source
code for) Apache 1.3.33.

I am mapping the Host: header to the filesystem path using mod_rewrite and a
dbm map, for mass virtual hosting. Since "User" can only be set statically
inside a <VirtualHost> container, it looks like I can't use Apache's suexec,
so I need something like cgiwrap which runs under the userid of the script
file itself.

However, this model seems to break down for .shtml pages which contain, say,
    <!--#exec cmd="foo"-->

Firstly, I need "foo" to run under the userid of the .shtml page (or the
website owner), not the userid of program "foo".

Secondly, shtml users expect their cmd to be run under a shell; however in
main/util_script.c, I see that if suexec is active, the shell is not run.

    if (ap_suexec_enabled
...
        if (shellcmd) {
            execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0,
                   NULL, env);
        }

... but in the non-suexec case:

   else {
        if (shellcmd) {
            execle(SHELL_PATH, SHELL_PATH, "-c", argv0, NULL, env);
        }

So as far as I can tell <!--#exec cmd="echo hello"--> isn't going to work if
suexec is active, since in suexec, argv[3]="echo hello". I guess the wrapper
could run a shell, but there's no flag telling it to do so.

I am considering whether I need to write my own setuid wrapper, and pass the
site username in an environment variable: e.g.

RewriteMap      hostmap         dbm:/conf/hostmap

RewriteCond ${hostmap:${tolower:%{HTTP_HOST}}}    root=(/[^,]+),uid=(\d+)
RewriteRule ^(.*\.shtml) %1$1 [E=UID:%2]

This seems pretty hairy to me. Or perhaps the wrapper can look at
SCRIPT_FILENAME or PATH_TRANSLATED and stat() that file?

Anybody have any other suggestions?

A third party module which uses a .db or .cdb file to lookup the "Host:"
header and set docroot+UID+GID would be acceptable.

Otherwise, I guess what I really want is to be able to set [USER=...] in a
mod_rewrite rule, but looking at the docs for apache 2.0 and 2.1, I don't
think this feature has been added.

Regards,

Brian Candler.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux